dabz / kafka-security-playbook Goto Github PK

ZK log

zookeeper | [2021-02-05 02:26:36,440] INFO Started ServerConnector@636be97c{HTTP/1.1,[http/1.1]}{0.0.0.0:8080} (org.eclipse.jetty.server.AbstractConnector)
zookeeper | [2021-02-05 02:26:36,440] INFO Started @768ms (org.eclipse.jetty.server.Server)
zookeeper | [2021-02-05 02:26:36,441] INFO Started AdminServer on address 0.0.0.0, port 8080 and command URL /commands (org.apache.zookeeper.server.admin.JettyAdminServer)
zookeeper | [2021-02-05 02:26:36,445] INFO Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory (org.apache.zookeeper.server.ServerCnxnFactory)
zookeeper | [2021-02-05 02:26:36,452] INFO Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation (org.apache.zookeeper.common.X509Util)
zookeeper | [2021-02-05 02:26:36,470] WARN No password found for user: null (org.apache.zookeeper.server.auth.SaslServerCallbackHandler)
zookeeper | [2021-02-05 02:26:36,472] ERROR Unexpected exception, exiting abnormally (org.apache.zookeeper.server.ZooKeeperServerMain)
zookeeper | java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: No password provided
zookeeper | at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
zookeeper | at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
zookeeper | at org.apache.zookeeper.server.ZooKeeperServerMain.runFromConfig(ZooKeeperServerMain.java:143)
zookeeper | at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun(ZooKeeperServerMain.java:106)
zookeeper | at org.apache.zookeeper.server.ZooKeeperServerMain.main(ZooKeeperServerMain.java:64)
zookeeper | at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:128)
zookeeper | at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)

First of all, thank you for this repo, it's awesome, I love it!

This repo has a running example for kerberized Kafka using SASL_PLAINTEXT, it would be great to have an example with SASL_SSL as well.

Does that make sense? If so, I can also contribute it.

Env:
windows 10 running minikube 1.7.2 with virtualbox driver, using Gitbash

Problem:

cd /kerberos, and run ./up getting the errors below (unqiue to windows it appears as it works on my mac, using the latest repo)

Successfully built 2e29b2238f98
Successfully tagged kerberos_client:latest
Recreating 3376ac7adf80_kdc ... error

ERROR: for 3376ac7adf80_kdc Cannot create container for service kdc: invalid volume specification: 'C:\dev\code\GitHub\old.kafka-security-playbook\kerberos\kdc\krb5.conf:/etc/kdc/krb5.conf:rw'

ERROR: for kdc Cannot create container for service kdc: invalid volume specification: 'C:\dev\code\GitHub\old.kafka-security-playbook\kerberos\kdc\krb5.conf:/etc/kdc/krb5.conf:rw'

I am having this problem when using LDAP. I use server.properties in this repositoy

[2020-05-22 04:39:49,183] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (io.confluent.support.metrics.SupportedKafka)
java.lang.ClassNotFoundException: io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:348)
	at org.apache.kafka.common.utils.Utils.loadClass(Utils.java:335)
	at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:324)
	at kafka.security.authorizer.AuthorizerUtils$.createAuthorizer(AuthorizerUtils.scala:35)
	at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1382)
	at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1238)
	at kafka.server.KafkaConfig$.fromProps(KafkaConfig.scala:1218)
	at kafka.server.KafkaConfig$.fromProps(KafkaConfig.scala:1215)
	at kafka.server.KafkaConfig.fromProps(KafkaConfig.scala)
	at io.confluent.support.metrics.SupportedServerStartable.<init>(SupportedServerStartable.java:52)
	at io.confluent.support.metrics.SupportedKafka.main(SupportedKafka.java:45)

Using the TLS demo works as expected.
I can bring up the cluster and use the produce and consume example as recommended at the end in the script named up.

[OK] -> docker-compose exec kafka kafka-console-producer --broker-list kafka.confluent.local:9093 --topic test --producer.config /etc/kafka/consumer.properties
[OK] -> docker-compose exec kafka kafka-console-consumer --bootstrap-server kafka.confluent.local:9093 --topic test --consumer.config /etc/kafka/consumer.properties --from-beginning

[FAILE] -> docker-compose exec kafka kafkacat -L -b kafka.confluent.local:9093 -F /etc/kafka/kafkacat.conf -C -t test

This is the error message:
kafkacat: error while loading shared libraries: libssl.so.10: cannot open shared object file: No such file or directory

Some examples are using CP4.1 docker containers. It would be great to update them to 5.4.

The Readme file in the root directory has become quite large. We may want to split it up, and put the content in the respective subdirectories.

Kubernetes is quickly becoming a standard for deployment of containerized apps, and is used extensively in production. Therefore we may want to give examples for setting the different security configurations up in Kubernetes, as well. Here is an example: https://github.com/1123/kafka-security-playbook/tree/master/kubernetes/plain